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Due to the impossibility results of Mayers and Lo/Chau it 
is generally thought that a quantum channel is cryptograph- 
ically strictly weaker than oblivious transfer. 

In this paper we prove that in a three party scenario a quan- 
tum channel can be strictly stronger than oblivious transfer. 
With the protocol introduced in this paper we can completely 
classify the cryptographic strength of quantum multi party 
protocols. 
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I. INTRODUCTION 

In a multi party protocol a set P of players wants 
to correctly compute a function f(a%, . . . , a n ) which de- 
pends on secret inputs of n players. Some players might 
collude to cheat in the protocol as to obtain information 
about secret inputs of the other players or to modify the 
result of the computation. Possible collusions of cheaters 
are modelled by adversary structures 

Definition 1 An adversary structure is a monotone set 
A C 2 P , i. e., for subsets S' C S of P the property S E A 
implies S' E A. 

The main properties of a multi party protocol are: 

1. A multi party protocol is said to be A-secure if no single 
collusion from A is able to obtain information about the 
secret inputs of other participants which cannot be derived 
from the result and the inputs of the colluding players. 

2. A multi party protocol is A-partially correct if no possible 
collusion can let the protocol terminate with a wrong result. 

3. A multi party protocol is called A-fair if no collusion from 
A can reconstruct the result of the multi party computation 
earlier then all honest participants together. No collusion 
should be able to run off with the result. 

We will be more strict here and demand robustness 
even against disruptors. 

2' A multi party protocol is A- correct whenever no single col- 
lusion from A can abort the protocol, modify its result, or 
take actions such that some player gets to know a secret 
value. 

A protocol is called A- robust if it has all of the above 
properties. Note that we will allow only one collusion 
to cheat, but we think of every single player as being 
curious, i.e., even if he is not in the collusion actually 
cheating he will eavesdrop all information he can obtain 
without being detected cheating 

With oblivious transfer all multi party protocols can 
be realized with perfect security if all players are coop- 
erating But a collusion of players can abort the 
calculation, see next section. 



Classically one can avoid this problem only by intro- 
ducing a new cryptographic primitive which is more pow- 
erful than oblivious transfer jl2],D • 

This paper analyzes three party quantum protocols 
and how they can cope with the problem of disruption. 
We prove that there are situations where a quantum 
channel is strictly more powerful than oblivious trans- 
fer. Together with the results of 0,11,0 we can conclude 
that the cryptographic power of a quantum channel is 
uncomparable to the power of oblivious transfer. 



II. IMPOSSIBILITY OF CLASSICAL THREE 
PARTY PROTOCOLS 

To clearly show the advantage of quantum protocols 
we restate the following impossibility result of [lj. 

Lemma 2 Let P be a set of players for which each pair 
of players is connected by a (private) oblivious transfer 
channel and each player has access to an authenticated 
broadcast channel. Then A-robust multi party computa- 
tions are possible for all functions if and only if no two 
sets of A cover P \ {Pi} for a player Pi E P or \P\ = 2. 



The basic idea to prove this impossibility result of 
is to have two possible collusions A\, A-i covering P\{P, 
(for a player Pi) where either all players from A\ or all 
players from A-i refuse to cooperate with the players of 
the other possible collusion. Then the single player Pi 
has to assist all other players. In |jj it is proven that one 
cannot avoid that the player Pi learns a secret. 

Especially three party protocols cannot necessarily be 
realized robustly if every player is possibly cheating. 



III. THREE PARTY PROTOCOLS 

If all players in a three party protocol cooperate we can 
use the protocols of ]Tl[ | to implement „4-robust quantum 
multi party protocols. Hence we focus on the situation 
where three players (Alice, Bob, and Helen) want to per- 
form three party protocols and Alice and Bob are in con- 
flict. One of the two is refusing to cooperate with the 
other and it is unclear for Helen who is cheating. 

As a first step we will introduce a bit commitment pro- 
tocol for Alice and Bob. The idea is that Alice sends her 
quantum states via Helen and Bob does not know which 
quantum data is coming from Helen and which data is 
just forwarded by Helen. Hence Bob cannot complain 
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without reason or he risks to be detected cheating by He- 
len. Forwarding information as if it were ones own with- 
out being able to eavesdrop is impossible classically. One 
further advantage of the protocol below is that Alice can 
forward all information via Helen and Bob cannot know 
whose information it is: An anonymous quantum chan- 
nel. This way Bob cannot distinguish between commit- 
ments of Alice and "pretended" commitments of Helen. 
Later we want to follow this idea with larger protocols 
containing this bit commitment protocol as a subproto- 
col. Then we let Alice forward all her information via 
Helen. 
Commit(6) 

FOR i 6 {1, ... ,1} DO 

1. Alice gives a random string r of qubits encoded in random 
bases s £ {+, x} to Helen. 

2. Helen sends a substring to Bob interleaved with quantum 
states of her own. Helen tells Alice which quantum states are 
hers without revealing information about which substring 
she forwarded. 

3. Bob announces to have received all quantum states. With a 
probability of 1/2 he publishes all his measurement results. 

4. Alice opens to Helen the bases she used. Now Alice is bound 
to the parity bit of r. 

OD 

5 Alice is now bound to the Xor of all quantum states (which 
were not measured and published by Bob) Alice announces 
(via Helen if needed) if this parity bit is equal to the bit b 
she originally wanted to commit to. 

Unveil 

1. Alice opens (via Helen if necessary) all choices she made. 

2. Helen and Bob check consistency. 

Lemma 3 For A = {{Alice}, {Bob}, {Helen}} the 
above protocol realizes an A-robust bit commitment for 
Alice which binds her to Bob and to Helen even if Alice 
and Bob are in conflict. 

Proof: We say the protocol has failed if many of the 
quantum states measured and published by Bob do not 
match what Alice sent or what Helen sent. If there are 
only very few cases with discrepancies the protocol is 
considered a success. 

If the protocol does not fail then the protocol is con- 
cealing to Helen. Helen has sent some substrings to Bob 
and as she could not know which substrings would be 
measured and published by Bob there are some sub- 
strings which she forwarded, but which were not tested. 
Hence Helen cannot measure the overall parity bit b even 
after getting to know the bases. Helen cannot measure 
before getting to know the bases as she will be detected 
cheating whenever Bob measures and publishes a quan- 
tum state she disturbed. 

If the protocol did not fail it is concealing to Bob unless 
Helen and Bob collude. This is clear as Bob does not have 
the complete quantum state, and can hence not measure 
the parity bit. 

If the protocol did not fail it is binding for Alice unless 
she colludes with Helen, which is impossible according to 
our assumption. 



If the protocol failed there are two cases to be consid- 
ered. First, Bob published a lot of measurement results 
which do not match what Alice sent, but Helen was not 
complaining about Bob, then it is clear for Alice that He- 
len and Bob collude somehow, but as this is not possible 
according to our assumption this will not happen. The 
second case is that Helen complains about Bob, then Bob 
is identified as a cheater as every player complains about 
Bob. □ 

As Alice is by the above protocol bound to Bob and 
Helen we have bit commitment from Alice to Bob and 
from Alice to Helen and from Bob to Alice and from 
Bob to Helen. As the quantum channel between Alice 
and Helen and between Bob and Helen is working we 
even have oblivious transfer from Helen to Alice and from 
Helen to Bob by forcing honest measurements with bit 
commitment [ |L3| . 

Corollary 4 The above sketched oblivious transfer pro- 
tocol between Alice and Helen and between Bob and He- 
len is A-robust and becomes A-robust after it termi- 
nated for A = {{Alice}, {Bob}, {Helen}} and A = 
{{Alice, Bob}, {Helen}}. 

Proof: The bit commitment used for forcing measur- 
ments need only be shortly binding. It need only be 
binding until the honest measurement is performed unre- 
versibly. Hence the collusion {Alice, Bob}, which would 
be able to violate the binding condition but not the con- 
cealing condition of the above bit commitment, cannot 
cheat after the measurement is performed. □ 
Next we have to define some notions which are impor- 
tant for multi party protocols. Details can be looked up 




Definition 5 A bit commitment with Xor (BCX) to a 
bit b is a commitment to bits b\L, biL, . . . , b m h, bin, . . . , 
b m R such that for each i 6,l © bin = b. 

The following result about zero knowledge proofs on 
BCX can be found in || and in references therein. 

Theorem 6 Bit commitments with Xor allow zero 
knowledge proofs of linear relations among several bits 
a player has committed to using BCX. Especially 
(in) equality of bits or a bit string being contained in a 
linear code. 

Furthermore BCXs can be copied, as proofs may de- 
stroy a BCX. 

In a multi party scenario it is necessary that a player 
should be committed to all other players. In our three 
party case this is given by our bit commitment protocol 
which binds one player (Alice or Bob) to the other two. 
For Helen the following global bit commitment with Xor 
can be implemented by Corollary |] and the techniques 
used in B as she is not in conflict with anyone. 
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Definition 7 A global bit commitment with Xor 
(GBCXJ is a BCX commitment from a player Alice £ P 
to all other players such that all players are convinced 
that Alice did commit to the same bit in all the different 
BCX. 

Corollary 8 Zero knowledge proofs of linear relations 
among several GBCX are possible. Furthermore GBCX 
can be copied by copying the individual BCX. 

On these commitments operates the committed oblivi- 
ous transfer protocol, defined in 0] which forms the basis 
of our multi party protocols. 

Definition 9 Given two players Alice and Bob where Al- 
ice is committed to bits bo,b\ and Bob is committed to 
a bit a. Then a committed oblivious transfer protocol 
(COT) is a protocol where Alice inputs her knowledge 
about her two commitments and Bob will input his knowl- 
edge about his commitment and the result will be that Bob 
is committed to b a . 

In a global committed oblivious transfer protocol all 
players are convinced of the validity of the commitments, 
i.e., that indeed Bob is committed to b a after the protocol. 

As Helen is not actively cheating by assumption and 
Alice or Bob cannot complain about Helen without being 
expelled from the protocol we can realize GCOT from 
Helen to Alice and from Helen to Bob by following the 
protocol of [Q. To realize GCOT from Alice to Bob is 
more difficult. We will do this in two steps. First we 
realize a subprotocol which we call subGCOT and second 
we will observe that all other steps can be realized easily 
once one round of subGCOT was successfull. 

To realize subGCOT between Alice and Bob we carry 
out the first 7 steps of the GCOT protocol of Q in a 
way that Bob cannot decide if the data comes from Alice 
or from Helen if he then complains without reason he 
risks to get in conflict with Helen, which would prove 
him cheating. 

subGCOT 

2 Alice randomly picks co , c\ from a previously agreed on code 
C (for requirements on C see M) and commits to all bits 
of the codewords, and proves that the codewords fulfil the 
linear relations of C (for the zero knowledge technique used 
confer Q). 

3 Bob randomly picks Iq, 7i C {1, . . . , M}, with io = |^l| = 
am (cr is a parameter of the code C), I\ PI lo = and sets 
b l <— b for i £ Iq and b l <— b for i £ Iq. 

4 Alice runs OT(cj, c\)(b x ) with Bob (by Q and the above 
bit commitment which binds Bob to Helen and Alice) who 
gets w % for i 6 {1, . . . ,m}. Bob tells I = Iq U Ii to Alice 
who opens Cq,c| for each i a I. 

5 Bob checks that w l = cL for i 6 Jo and ui ! = c' b for i £ I\ , 
sets w l <— c b , for i £ Iq and corrects w using the code C's 
decoding algorithm, commits to w % for i £ {1, . . . , m}, and 
proves that w 1 . . . w m £ C. 

6 All players together randomly pick a subset I2 C {1, . . . , m} 
with I/2I = am, I2 n / = and opens Cq and c\ for i £ I2. 



7 Bob proves that w 1 = c' b for i £ I r 2- 

Alice and Helen play subGCOT with Bob in a way 
that Alice plays via Helen using the above bit commit- 
ment protocol and the forcing measurement technique 
of |l3| such that Bob cannot distinguish between com- 
mitments/quantum states of Alice and pretended com- 
mitments/quantum states of Helen, then Bob cannot des- 
tinguish between the subGCOT protocols he plays with 
Alice and those which are pretended by Helen. Two cases 
can occur: 

1. After I trials a subGCOT protocol was successful 
from Alice to Bob and neither player complains. 
This subGCOT protocol can be used to perform 
GCOT from Alice to Bob, as all other steps of 
GCOT are not critical. 

2. After / trials no subGCOT protocol between Al- 
ice and Bob was successfull. Then, as Helen and 
Bob do not collude and Bob cannot distinguish be- 
tween Alices and Helens data, it is clear that Alice 
is cheating if Bob only complained about her data 
and it is clear that Bob is cheating if he complained 
about Helen as well as Alice. 

Once Alice and Bob were able to run one round of 
subGCOT they can complete this protocol to a GCOT 
protocol by the steps: 

8 Alice randomly picks and announces a privacy amplification 
function h : {0, l} m — > {0, 1} such that ag = h(co) and ai = 
/i(ci) and proves ao = h{c^, . . . , c™) and ai = h{c\, . . . , c™). 

9 Bob sets a <— h(w), commits to a and proves a = 
hiw 1 . . .,w m ). 

Alice and Bob give their proofs (following the proce- 
dure of in the above steps to Helen. Hence the proofs 
must be correct as no one can risk to get into conflict 
with Helen, also convincing Helen is enough as she is not 
colluding with Alice or with Bob. 

For the corectness of the GCOT protocol we refer to 
the proof in We conclude: 

Lemma 10 Even if Alice and Bob are in conflict 
there exists an A-robust protocol for GCOT between 
Alice and Helen, Bob and Helen and Alice and 
Bob. This protocol becomes A-robust after it termi- 
nated for A = {{Alice}, {Bob}, {Helen}} and A = 
{{Alice, Bob}, {Helen}}. 

Proof: By Corollary |i| we can have oblivious transfer 
from Helen to Alice and from Helen to Bob. As Helen 
cannot be in conflict with Alice or Bob (or a cheater can 
be identified) we can realize GCOT from Helen to any 
other player by the protocols of Q with the security of 
the oblivious transfer channel of Corollary^. 

The above protocol for GCOT between Alice and Bob 
is still concealing for Helen even if Alice and Bob collude, 
but the resulting commitments need not be binding any 
more. This is no problem as we allow Alice and Bob to 
collude only after the termination of the protocol (See 
comment after Theorem [n]). □ 
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From a bit commitment which can bind one player to 
the two other players we can realize GBCX and together 
with a GCOT protocol working in at least one direction 
between every two players we can obtain all three party 
protocols, see Q (and M for creating a distributed bit 
commitment, which is needed in dJ, in the presence of 
conflicts). Hence we can conclude: 

Theorem 11 For three players Alice, Bob, and Helen 
all functions can be realized by quantum multi party pro- 
tocols if two players are honest. The protocol becomes 
{{Alice}, {Bob}, {Helen}} U {A}-secure after its execu- 
tion if there is a player outside of A nobody complained 
about. 

Note that the bit commitment used during the protocol 
is not necessarily binding after Alice and Bob collude. If 
one wants to implement a long binding bit commitment 
one has to implement it as a multi party computation. 



IV. A COMPLETENESS THEOREM FOR 
QUANTUM MULTI PARTY PROTOCOLS 

In the paper [fill quantum multi party protocols were 
proposed which use secret sharing to force measurements 
to implement oblivious transfer. Then these protocols 
follow [Q to implement multi party computations with 
oblivious transfer. 

There was an impossibility result in [jllj that quantum 
multi party protocols for all functions become impossi- 
ble if two possible collusions cover the set P of players. 
But due to the use of oblivious transfer this had to be 
weakened to the condition of Lemma ^. The impossibil- 
ity result of [[yj did not seem to be sharp. Now we can 
prove that the result is indeed sharp as we can imple- 
ment multi party protocols even in the case not covered 
by [0: 

Theorem 12 A-robust quantum multi party protocols 
for all functions are possible if and only if no two col- 
lusions of A cover the set P of players. 

These protocols become A-robust after termination for 
an adversary structure A which may contain one and 
only one complement of a set of A. 

Proof: If one looks at [|lT| one can see that the above 
theorem is proven there for all cases but one. The case 
left open is that two collusions Ai, A^, covering P\ {Pi} 
for a player Pi, are in conflict such that no player from 
A\ can use the oblivious transfer to any player of A^ (and 
vice versa). 

In this case we can proceed analogously to our three 
party protocols. All commitments are made via Pi (He- 
len) and equality of commitments is proven to Helen. 
This way we obtain GBCX in a way that whenever a 
player complains a cheater can be identified. 

The GCOT protocol can be realized analogously to 
the above three party protocol. A player Alice 6 A\ runs 



subGCOT via Helen with a player Bob S A2 such that 
Bob cannot distinguish data from Helen and data from 
Alice. Again Bob cannot complain without either being 
detected cheating or proving that Alice cheats. On top 
of subGCOT GCOT can easily be realized. With GBCX 
and GCOT we can realize all multi party protocols Q| 
if one keeps in mind that distributed bit commitments 
can be realized without problems even when conflicts are 
present (T). 

The set A £ A, for which A c may be contained in A, 
can in the above case be chosen to be any set containing 
Helen. _ □ 

The set A can even contain more than one complement 
of a set of A provided Helen is not in the additional 
collusion. The protocol seems to be more secure than a 
quantum protocol where no complains were present. This 
is true, due to the fact that Helen becomes a trustable 
third party in the way that we know she is not colluding 
with anyone. This shows that conflicts appearing during 
the protocol can yield additional information which can 
be exploited to increase the security. 

One of the ideas of this paper, namely to anonymizc 
oblivious transfer, can also be applied to classical proto- 
cols. With the primitive of anonymous oblivious transfer 
all multi party protocols become possible with perfect 
security, and whenever a player tries to abort the pro- 
tocol this player is identified or the protocol terminates 
correctly 
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